lots of problems... trojan blue screen, etc

[indigoblues]

this computer is beyond messed up. There is a blue screen for the desktop saying that it's trojan-spy.html.smitfraud.c. i can't install norton antivirus, and i also cannot install S&D. Here's my hijack this log, please help me.

Logfile of HijackThis v1.99.1
Scan saved at 5:08:11 PM, on 7/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
c:\windows\system32\xklxmpe.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\sfita.exe
C:\wp.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Cas\Client\casclient.exe
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\WINDOWS\System32\vidctrl\vidctrl.exe
C:\Program Files\aim\aim.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ciin.exe
C:\Program Files\PrecisionTime\PrecisionTime.exe
C:\PROGRA~1\eZula\mmod.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\WEBOFF~1\wo.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\DOCUME~1\Laura\LOCALS~1\Temp\Rar$EX00.922\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oihke.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {B13E948F-EDD2-89D9-8979-0B3423FEAE5A} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {C109664B-CEB1-420b-B353-D55A561536DD} - (no file)
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [b0tFRWdtj] gsmtract.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKCU\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [boo] C:\WINDOWS\boo.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {5EF28505-9B6D-4D9F-9068-428C8DEB2233} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {5EF28505-9B6D-4D9F-9068-428C8DEB2233} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: http://www.neededware.com
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...ewpoint.com/script/V1.8/updater/updater.html?
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/download/bargain_buddy/cab/installer_MARKETING11.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - ms-its:mhtml:file://c:\nosuxxx.mht!http://elitegate.de/script/ysb.chm::/ysb_regular.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0009.exe
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

 

[buckaroo]

Download KillBox for use later:

http://www.thespykiller.co.uk/files/killbox.exe



* Download smitRem.zip.

http://noahdfear.geekstogo.com/clic.../click.php?id=1

Save the file to your desktop.
Unzip smitRem.zip to extract the files it contains.
Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.


* Go here to download CCleaner.

http://www.filehippo.com/download_ccleaner.html

Install CCleaner
Launch CCleaner and look in the upper right corner and click on the "Options" button.
Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
Click OK
Do not run CCleaner yet. You will run it later in safe mode.


* Download the trial version of Ewido Security Suite here.

http://www.ewido.net/en/download/

Install ewido.
During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Launch ewido
It will prompt you to update click the OK button and it will go to the main screen
On the left side of the main screen click update
Click on Start and let it update.
DO NOT run a scan yet. You will do that later in safe mode.


* Click here for info on how to boot to safe mode if you don't already know how.

http://service1.symantec.com/SUPPOR...001052409420406


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oihke.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {B13E948F-EDD2-89D9-8979-0B3423FEAE5A} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {C109664B-CEB1-420b-B353-D55A561536DD} - (no file)

O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe

O4 - HKCU\..\Run: [b0tFRWdtj] gsmtract.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe

O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKCU\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe

O4 - HKCU\..\Run: [boo] C:\WINDOWS\boo.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe


......after checking the above entries in HJT, click Fix and REBOOT.

After rebooting open Killbox

Click on Tools>Delete Temp Files

Then,

Check the following boxes:

Unregister .dll before deleting (unless it is greyed out)

Delete on Reboot

Highlight the entries below and then Copy & paste them into the Killbox topmost box.

C:\Program Files\SurfSideKick 3\Ssk.exe
C:\Program Files\sf\sf.exe
c:\wp.exe
C:\Program Files\Cas\Client\casclient.exe"
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\WINDOWS\System32\vidctrl\vidctrl.exe
C:\WINDOWS\boo.exe
C:\PROGRA~1\ezula\mmod.exe
C:\PROGRA~1\Web Offer\wo.exe

After pasting them into the topmost textbox. Click the Red X ...and for the confirmation message that will appear, you will need to click Yes

A second message will ask to Reboot now? you will need to click Yes

Note: Killbox will let you know if the file does not exist.


* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


* Run Ewido:
Click on scanner
Click Complete System Scan and the scan will begin.
During the scan it will prompt you to clean files, click OK
When the scan is finished, look at the bottom of the screen and click the Save report button.
Save the report to your desktop


* Start Ccleaner and click Run Cleaner


* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


* Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar.If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.


* Restart back into Windows normally now.


* Run ActiveScan online virus scan here

http://www.pandasoftware.com/activescan/

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan and the ewido scan.

 

[indigoblues]

i followed your instructions and only got as far as the ewido scan. however, it froze half way through it. I tried to run it again, but i couldn't get it to go past the status screen. Also, i downloaded the CCleaner, but i can't get the program to pop up. what do i do now? please help!

 

[buckaroo]

Please post a current HJT log.

 

[indigoblues]

Logfile of HijackThis v1.99.1
Scan saved at 12:31:56 AM, on 7/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:..WINDOWS..System32..smss.exe
C:..WINDOWS..system32..winlogon.exe
C:..WINDOWS..system32..services.exe
C:..WINDOWS..system32..lsass.exe
C:..WINDOWS..system32..svchost.exe
C:..WINDOWS..System32..svchost.exe
C:..WINDOWS..system32..LEXBCES.EXE
C:..WINDOWS..system32..spoolsv.exe
C:..WINDOWS..system32..LEXPPS.EXE
C:..WINDOWS..Explorer.exe
C:..Program Files..ewido..security suite..ewidoctrl.exe
C:..WINDOWS..wanmpsvc.exe
C:..Program Files..Messenger..msmsgs.exe
C:..Program Files..sf..sf.exe
C:..Program Files..aim..aim.exe
C:..Program Files..PrecisionTime..PrecisionTime.exe
C:..Program Files..ewido..security suite..ewidoguard.exe
C:..Program Files..Yahoo!..Messenger..ymsgr_tray.exe
C:..WINDOWS..System32..wuauclt.exe
C:..PROGRA~1..Yahoo!..browser..ycommon.exe
C:..Program Files..Yahoo!..browser..ybrwicon.exe
C:..Documents and Settings..Administrator..Desktop..stuff..HijackThis.exe

R0 - HKCU..Software..Microsoft..Internet Explorer..Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM..Software..Microsoft..Internet Explorer..Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU..Software..Microsoft..Internet Explorer..Search,SearchAssistant = res://C:..WINDOWS..oihke.dll/sp.html..28129
R1 - HKCU..Software..Microsoft..Internet Explorer..SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R0 - HKCU..Software..Microsoft..Internet Explorer..Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:..WINDOWS..Nail.exe
O4 - HKCU......Run: [MSMSGS] "C:..Program Files..Messenger..msmsgs.exe" /background
O4 - HKCU......Run: [Yahoo! Pager] C:..Program Files..Yahoo!..Messenger..ypager.exe -quiet
O4 - HKCU......Run: [b0tFRWdtj] gsmtract.exe
O4 - HKCU......Run: [sf] C:..Program Files..sf..sf.exe
O4 - HKCU......Run: [WindowsFY] c:..wp.exe
O4 - HKCU......Run: [NetZero_uoltray] C:..Program Files..NetZero..exec.exe regrun
O4 - HKCU......Run: [CAS Client] "C:..Program Files..Cas..Client..casclient.exe"
O4 - HKCU......Run: [Nsv] C:..WINDOWS..System32..nsvsvc..nsvsvc.exe
O4 - HKCU......Run: [vidctrl] C:..WINDOWS..System32..vidctrl..vidctrl.exe
O4 - HKCU......Run: [AIM] C:..Program Files..aim..aim.exe -cnetwait.odl
O4 - HKCU......Run: [boo] C:..WINDOWS..boo.exe
O4 - HKCU......Run: [eZmmod] C:..PROGRA~1..ezula..mmod.exe
O4 - HKCU......Run: [eZWO] C:..PROGRA~1..Web Offer..wo.exe
O4 - Global Startup: PrecisionTime.lnk = C:..Program Files..PrecisionTime..PrecisionTime.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:..Program Files..Yahoo!..Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:..Program Files..Yahoo!..Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:..Program Files..Yahoo!..Common..ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:..Program Files..Yahoo!..Common..ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:..Program Files..Yahoo!..Messenger..yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:..Program Files..Yahoo!..Messenger..yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:..Program Files..aim..aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:..WINDOWS..System32..Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {5EF28505-9B6D-4D9F-9068-428C8DEB2233} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {5EF28505-9B6D-4D9F-9068-428C8DEB2233} - (no file) (HKCU)
O12 - Plugin for .spop: C:..Program Files..Internet Explorer..Plugins..NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: http://www.neededware.com
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...ewpoint.com/script/V1.8/updater/updater.html?
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/download/bargain_buddy/cab/installer_MARKETING11.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:..Program Files..Yahoo!..common..yinsthelper.dll
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - ms-its:mhtml:file://c:..nosuxxx.mht!http://elitegate.de/script/ysb.chm::/ysb_regular.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0009.exe
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: ewido security suite control - ewido networks - C:..Program Files..ewido..security suite..ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:..Program Files..ewido..security suite..ewidoguard.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:..WINDOWS..System32..hwclock.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:..WINDOWS..system32..LEXBCES.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:..WINDOWS..svcproc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:..WINDOWS..wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:..WINDOWS..system32..YPCSER~1.EXE

 

[buckaroo]

Check in Add/Remove and uninstall any of the following if present:

Media Pass
Shop at Home
SAH
Bargin buddy

Download about.buster:

http://www.majorgeeks.com/download4289.html

Read the instructions on the site for it's use.

Then download CWShredder:

http://www.trendmicro.com/cwshredder/


After downloading both applications, physically disconnect your PC from the internet. Close your browser and first run about.buster.

Then run CWShredder: click Fix (not scan) and let it do it's thing.

Okay, open Killbox and same directions on its' use as before and copy and paste the following line into the *Full Path to Delete* Box


C:\Program Files\sf\sf.exe
c:\wp.exe
C:\Program Files\Cas\Client\casclient.exe"
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\WINDOWS\System32\vidctrl\vidctrl.exe
C:\WINDOWS\boo.exe
C:\PROGRA~1\ezula\mmod.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\WINDOWS\svcproc.exe

Click the Red Button with the White x on it.

The program will ask you to confirm you want to delete the file on reboot - answer *yes*

The Program will then ask you if you want to reboot, select *NO*


2. Okay, Now, click on Start, then Run ... type cmd and press "OK".

In the next box that opens, type cd\
and press "Enter". Now you'll see the C: prompt ... looks like this: C:\>

Type cd\windows
and then press Enter.

Next, type nail.exe /FullRemove
(make sure there is a space between nail.exe and the /) ... then press Enter.


3. Now open HJT and check the following entries, click Fix and then REBOOT:

R1 - HKCU..Software..Microsoft..Internet Explorer..Search,SearchAssistant = res://C:..WINDOWS..oihke.dll/sp.html..28129
R1 - HKCU..Software..Microsoft..Internet Explorer..SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:..WINDOWS..Nail.exe

O4 - HKCU......Run: [b0tFRWdtj] gsmtract.exe
O4 - HKCU......Run: [sf] C:..Program Files..sf..sf.exe
O4 - HKCU......Run: [WindowsFY] c:..wp.exe

O4 - HKCU......Run: [CAS Client] "C:..Program Files..Cas..Client..casclient.exe"
O4 - HKCU......Run: [Nsv] C:..WINDOWS..System32..nsvsvc..nsvsvc.exe
O4 - HKCU......Run: [vidctrl] C:..WINDOWS..System32..vidctrl..vidctrl.exe

O4 - HKCU......Run: [boo] C:..WINDOWS..boo.exe
O4 - HKCU......Run: [eZmmod] C:..PROGRA~1..ezula..mmod.exe
O4 - HKCU......Run: [eZWO] C:..PROGRA~1..Web Offer..wo.exe

O15 - Trusted Zone: http://www.neededware.com
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...r/updater.html?
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/d...MARKETING11.cab

O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - ms-its:mhtml:file://c:..nosuxxx.mht!http://elitegate.de/script/ysb.chm::/ysb_regular.cab

O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility....ckerutility.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0009.exe


O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:..WINDOWS..svcproc.exe (file missing)

REBOOT.


Check your ActiveX security settings. They may have been changed by this
CWS variant to allow ALL ActiveX!! Reset your active x security settings
like so... Go to Internet Options > Security > Internet, press 'default level',
then OK. Now press "Custom Level." In the ActiveX section, set the first
two options ("Download signed and unsigned ActiveX controls) to 'prompt',
and 'Initialize and Script ActiveX controls not marked as safe" to 'disable'.

Connect PC to go back online.


Go here for an online AV scan:

http://housecall.trendmicro.com/hou.../start_corp.asp

when doen, go here and download trojan/malware scanner. After installing, download current updates before scanning:

http://www.emsisoft.com/en/software/free/


Reboot and post a current HJT log, okay?